Abstract

By applying Grover's quantum search algorithm to the lattice algorithms of
Micciancio and Voulgaris, Nguyen and Vidick, Wang et al., and Pujol and Stehlé,
we obtain improved asymptotic quantum results for solving the shortest vector
problem. With quantum computers we can provably find a shortest vector in time
$2^{1.799n+o(n)}$, improving upon the classical time complexity of $2^{2.465n+o(n)}$ of
Pujol and Stehlé and the $2^{2n+o(n)}$ of Micciancio and Voulgaris, while heuristically we
expect to find a shortest vector in time $2^{0.312n+o(n)}$, improving upon the classical
time complexity of $2^{0.384n+o(n)}$ of Wang et al. These quantum complexities will be
an important guide for the selection of parameters for post-quantum cryptosystems
based on the hardness of the shortest vector problem.



1 Introduction 

Large-scale quantum computers will redefine the landscape of computationally secure
cryptography, including breaking public-key cryptography based on integer
factorization or the discrete logarithm problem [54] or the Principal Ideal Problem in
real quadratic number fields [23], providing sub-exponential attacks for some systems
based on elliptic curve isogenies 03], speeding up exhaustive searching [9, 21] and
(with appropriate assumptions about the computing architecture) finding collisions and
claws fll fTTUTZl, among many other quantum algorithmic speed-ups [14, 40, 55].

Currently, a small set of systems [8] are being studied intensely as possible
systems to replace those broken by large-scale quantum computers. These systems can be
implemented with conventional technologies and to date seem resistant to substantial
quantum attacks. It is critical that these systems receive intense scrutiny for possible
quantum or classical attacks. This will boost confidence in the resistance of these
systems to (quantum) attacks, and allow us to fine-tune secure choices of parameters in
practical implementations of these systems.

One such set of systems bases its security on the computational hardness of certain
lattice problems. Since the late 1990s, there has been a lot of research into the area of
lattice-based cryptography, resulting in encryption schemes [25, 48], digital signature
schemes [19, 37] and even fully homomorphic encryption schemes [10, 20]. Each of
the lattice problems that underpin the security of these systems can be reduced to the
shortest vector problem. For a more detailed summary on the security of lattice-based
cryptography, see [33, 43].

In this paper, we closely study the best-known algorithms for solving the shortest
vector problem on a lattice, and how quantum algorithms may speed up these attacks.
By challenging and improving the best asymptotic complexity of such attacks, we
increase the confidence in the security of lattice-based schemes. Understanding these
attacks is critical when selecting key-sizes and other security parameters.

1.1 Lattices 

Lattices are discrete subgroups of $\mathbb{R}^n$. Given a set of $n$ linearly independent
vectors $B = \{b_1, \ldots, b_n\}$ in $\mathbb{R}^n$, we define the lattice generated by these
vectors as $L = \{\sum_{i=1}^n \lambda_i b_i : \lambda_i \in \mathbb{Z}\}$. We call the set $B$ a
basis of the lattice $L$. This basis is not unique; applying a unimodular matrix
transformation to the vectors of $B$ leads to a new basis $B'$ of the same lattice $L$.

In lattices, we generally work with the Euclidean or $\ell_2$-norm, which we will denote
by $\|\cdot\|$. For bases $B$, we write $\|B\| = \max_i \|b_i\|$. We refer to a vector
$s \in L \setminus \{0\}$ such that $\|s\| \le \|v\|$ for any $v \in L \setminus \{0\}$ as a
shortest vector of the lattice. Its length is denoted by $\lambda_1(L)$. Given a basis $B$,
we write $\mathcal{P}(B) = \{\sum_{i=1}^n \lambda_i b_i : 0 \le \lambda_i < 1\}$ for the
fundamental domain of $B$.

One of the most important hard problems in the theory of lattices is the Shortest
Vector Problem (SVP). Given a basis of a lattice, the Shortest Vector Problem consists
of finding a shortest vector in this lattice. In many applications, finding a short vector
instead of a shortest vector is also sufficient. The Approximate Shortest Vector Problem
with approximation factor $\gamma$ (SVP$_\gamma$) asks to find a non-zero lattice vector
$v \in L$ with length bounded from above by $\|v\| \le \gamma \lambda_1(L)$.

1.2 Related work 

The Approximate Shortest Vector problem is integral in the cryptanalysis of
lattice-based cryptography [17]. For small values of $\gamma$, this problem is known to be
NP-hard [2, 29], while for certain exponentially large $\gamma$, polynomial time algorithms
exist, such as the LLL algorithm of Lenstra, Lenstra and Lovász [35]. Other algorithms
trade running time for a better approximation factor $\gamma$, such as the LLL algorithm with
deep insertions [52] and the BKZ algorithm of Schnorr and Euchner [52]. The latter
algorithm requires an exact SVP algorithm for lower dimensions as a subroutine. The
current state-of-the-art for classically finding short vectors is BKZ 2.0 [13], which is
essentially the original BKZ algorithm with the improved SVP subroutine of Gama et
al. [18]. Implementations of this algorithm, due to Chen and Nguyen [13], and Aono
and Naganuma [5], currently dominate the Lattice Challenge Hall of Fame [34].

In 2003, Ludwig [36] used quantum algorithms to speed up one such basis reduction
algorithm, Random Sampling Reduction (RSR), which is due to Schnorr [53]. By
replacing a random sampling from a big list by a quantum search, Ludwig achieves
a quantum algorithm that is asymptotically faster than previous results. Ludwig also
details the effect that this faster quantum algorithm would have had on the practical
security of the lattice-based encryption scheme NTRU [25], had there been a quantum
computer in 2005.

In the cryptanalysis of schemes that are based on lattice problems, it is often
sufficient to find a short vector and not necessarily a shortest vector. In this setting, basis
reduction algorithms such as BKZ seem to be more efficient than exact (and generally
exponential) SVP algorithms. However, SVP solvers are still relevant for lattice-based
cryptography, because the BKZ algorithm also requires an efficient low-dimensional
SVP algorithm as a subroutine. Several methods are known for finding a shortest
vector and in theory each of these could be used as a subroutine for BKZ. For SVP solvers
there is a similar online challenge [56], where the record is currently held by Kuo et
al. [30].

1.2.1 Enumeration. 

The classical method for finding shortest vectors is enumeration, dating back to work
by Pohst [42], Kannan [28] and Fincke and Pohst Q21 in the first half of the 1980s.
In order to find a shortest vector, one enumerates all lattice vectors inside a giant ball
around the origin. If the input basis is only LLL-reduced, enumeration runs in $2^{O(n^2)}$
time, where $n$ is the lattice dimension. The algorithm by Kannan uses a stronger
preprocessing of the input basis, and runs in $2^{O(n \log n)}$ time. Both approaches use only
polynomial space in $n$.

1.2.2 Sieving/Saturation. 

In 2001, Ajtai et al. [3] introduced a technique called sieving, leading to the first
algorithm to solve SVP in time $2^{O(n)}$. Starting with a huge list of short vectors, the
algorithm repeatedly applies a sieve to this list to end up with a smaller list of shorter
lattice vectors. After several iterations we hope to be left with a list of lattice vectors of
length $O(\lambda_1(L))$. Due to the size of the list, the space requirement of sieving is
$2^{O(n)}$. Later work [24, 39, 41, 46] investigated the constants in both exponents and
ways to reduce these.

Recently, in 2009, Micciancio and Voulgaris [39] started a new branch of sieving
algorithms, which may be more appropriately called saturation algorithms. While
sieving starts out with a long list and repeatedly applies a sieve to reduce its length,
saturation algorithms iteratively add vectors to an initially empty list, hoping that at
some point the space of short lattice vectors is "saturated", and two of the vectors in
the list are at most $\lambda_1(L)$ apart. The time and space requirements of these algorithms
are also $2^{O(n)}$. In 2009, Pujol and Stehlé [44] showed that with this method, SVP can
provably be solved in time $2^{2.465n+o(n)}$.

1.2.3 Voronoi. 

In 2010, Micciancio and Voulgaris presented another algorithm for solving SVP based
on constructing the Voronoi cell of the lattice [38]. In time $2^{2n+o(n)}$ and space
$2^{n+o(n)}$, this algorithm is able to find a shortest vector in any lattice. Currently this
is the best provable asymptotic result for classical SVP solvers.

1.2.4 Practice. 

While many methods have surpassed the enumeration algorithms in terms of classical
provable asymptotic time complexities, in practice the enumeration methods still
dominate the field. The version of enumeration that is currently used in practice is due to
Schnorr and Euchner [52] with improvements by Gama et al. [18]. It does not
incorporate the stronger version of preprocessing of Kannan [28] and hence has an asymptotic
time complexity of $2^{O(n^2)}$. However, due to the small hidden constants in the exponents
and the exponential space complexity of the other algorithms, enumeration is actually
faster than other methods for common values of $n$. That said, the other methods are
still quite new, so a further study of these other methods may tip the balance.

1.3 Quantum search 

In this paper we will study how quantum algorithms can be used to speed up the SVP
algorithms outlined above. For this, we will make use of Grover's quantum search
algorithm [21], which considers the following problem:

Given a list $L$ of length $N$ and a function $f : L \to \{0, 1\}$, such that the number of
elements $e \in L$ with $f(e) = 1$ is small. Construct an algorithm "search" that, given $L$
and $f$ as input, returns an $e \in L$ with $f(e) = 1$, or determines that (with high
probability) no such $e$ exists. We assume for simplicity that $f$ can be evaluated in unit time.

1.3.1 Classical algorithm. 

With classical computers, the natural way to find such an element is to go through the
whole list, until one of these elements is found. This takes on average $O(N)$ time. This
is also optimal up to a constant factor; no classical algorithm can find such an element
in less than $\Omega(N)$ time.

1.3.2 Quantum algorithm. 

Using quantum search [9, 21], we can find such an element in time $O(\sqrt{N})$. This is
optimal up to a constant factor, as any quantum algorithm needs at least $\Omega(\sqrt{N})$
evaluations of $f$ H.

Throughout the paper, we will write $x \leftarrow \mathrm{search}_{e \in L}(f(e) = 1)$ to
highlight subroutines that perform a search in a long list. This assignment returns true if
an element $e \in L$ with $f(e) = 1$ exists (and assigns such an element to $x$), and returns
false if no such $e$ exists. This allows us to give one description for both the classical and
quantum versions of each algorithm, as the only difference between the two versions is which
version of the subroutine is used.

For both of these classical and quantum algorithms, we assume a RAM model of
computation where the $j$th entry of the list $L$ can be looked up in constant time (or
polylogarithmic time). In the case that $L$ is a virtual list where the $j$th element can be
computed in time polynomial in the length of $j$ (thus polylogarithmic in the length of
the list $L$), then look-up time is not an issue. When $L$ is indeed an unstructured list
of values, for classical computation, the assumption of a RAM-like model has usually
been valid in practice. However, there are fundamental reasons for questioning it [7],
and there are practical computing architectures where the assumption does not apply.
In the case of quantum computation, a practical RAM-like quantum memory looks
particularly challenging, especially for first generation quantum computers. Some authors
have studied the limitations of quantum algorithms in this context [7, 22, 26].

Some algorithms (e.g. [4]) must store a large database of information in regular
quantum memory (that is, memory capable of storing quantum superpositions of
states). In contrast, quantum searching an actual list of $N$ (classical) strings requires
the $N$ values to be stored in quantumly addressable classical memory (e.g. as Kuperberg
discusses in [32]) and $O(\log N)$ regular qubits. Quantumly addressable classical
memory in principle could be much easier to realize in practice than regular qubits.
Furthermore, quantum searching for a value $x \in \{0, 1\}^n$ satisfying $f(x) = 1$ for a
function $f : \{0, 1\}^n \to \{0, 1\}$ and which can be implemented by a circuit on $O(n)$ qubits
only requires $O(n)$ regular qubits, and there is no actual list to be stored in memory. In
this paper, the quantum search algorithms used require the lists of size $N$ to be stored in
quantumly addressable classical memory and use $O(\log N)$ regular qubits and $O(\sqrt{N})$
queries into the list of numbers.

In this work, we consider (conventional) classical RAM memories for the classical
algorithms, and RAM-like quantumly addressable classical memories for the quantum
search algorithms. This is both a first step for future studies in assessing the impact
of more practical quantum architectures, and also represents a more conservative
approach in determining parameter choices for lattice-based cryptography that should be
resistant against the potential power of quantum algorithmic attacks.



1.4 Contributions and outline 

In this paper, we show that quantum algorithms can significantly speed up sieving and
saturation algorithms. The constant in the exponent decreases by approximately 25%
in all cases, leading to an improvement upon both provable and heuristic asymptotic
results for solving the Shortest Vector Problem:

• Provably, we can find a shortest vector in any lattice in time $2^{1.799n+o(n)}$.

• Heuristically, we can find a shortest vector in any lattice in time $2^{0.312n+o(n)}$.

• Extrapolating from classical experiments, with quantum computers we expect to
be able to find a shortest vector in any lattice in time about $2^{0.39n}$.

Table 1 contains a comparison between our contributions and previous results, in both
the classical and quantum setting. While the Voronoi Cell algorithm is asymptotically
the best algorithm in the provable classical setting, our quantum saturation algorithm
has better asymptotics in the provable quantum setting.

Why do we only consider sieving and saturation algorithms, and not the more
practical enumeration or the theoretically faster Voronoi cell algorithms? It turns out that
it is not as simple to significantly speed up these algorithms using similar techniques.
For some intuition why this is the case, see Appendix C.

The outline of this paper is as follows. In Section 2 we look at sieving algorithms,
and how quantum algorithms lead to speed-ups. In Section 3 we look at saturation
algorithms, and their estimated time and space complexities on a quantum computer.
Technical details regarding some of these results can be found in Appendices A and B.

Table 1: A comparison of the results as expressed in logarithmic leading order terms.

                                     Classical               Quantum
Algorithm                         Time         Space      Time     Space
(Enumeration)                     O(n log n)   O(1)       -        -        (App. C)
Pujol and Stehlé [44]             2.47n        1.24n      1.80n    1.29n    (Sec. 3.1)
(Voronoi)                         2.00n        1.00n      -        -        (App. C)
Micciancio and Voulgaris [39]     0.52n        0.21n      0.39n    0.21n    (Sec. 3.2)
Nguyen and Vidick [41]            0.42n        0.21n      0.32n    0.21n    (Sec. 2.1)
Wang et al. [57]                  0.39n        0.26n      0.32n    0.21n    (Sec. 2.2)


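Algorithm 1 The Heuristic Sieve Algorithm of Nguyen and Vidick

Input: An LLL-reduced basis $B$ of $L$, and constants $\gamma \in (\frac{2}{3}, 1)$ and $N = 2^{O(n)}$
Output: A short non-zero lattice vector $s$

for $i \leftarrow 1$ to $N$ do
    $v \in_R B_n(0, \|B\|) \cap L$
    $S \leftarrow S \cup \{v\}$
while $S \setminus \{0\} \neq \emptyset$ do
    $S_{prev} \leftarrow S \setminus \{0\}$
    $C \leftarrow \{0\}$
    for all $v \in S_{prev}$ do
        if $c \leftarrow \mathrm{search}_{c \in C}(\|v - c\| < \gamma R)$ then
            $S \leftarrow S \cup \{v - c\}$
        else
            $C \leftarrow C \cup \{v\}$
$s \leftarrow \arg\min_{v \in S_{prev}} \|v\|$
return $s$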



2 Sieving algorithms 

Sieving was first introduced by Ajtai et al. [3] and later improved theoretically
[24, 39, 41, 46] and practically [41, 57] in various papers. In these algorithms, first an
exponentially long list of lattice vectors is generated. Then, by iteratively applying a sieve to
this list, the size of the list, as well as the lengths of the vectors in the list are reduced.
After a polynomial number of applications of the sieve, we hope to be left with a short
but non-empty list of very short vectors, from which we can then obtain a shortest
vector of the lattice.

2.1 The Heuristic Algorithm of Nguyen and Vidick 

Nguyen and Vidick [41] considered a heuristic, practical variant of the sieve algorithm
of Ajtai et al. [3], which provably returns a shortest vector under a certain natural,
heuristic assumption. A slightly modified but equivalent version of this algorithm is
given in Algorithm 1.

2.1.1 Description of the algorithm.

The algorithm starts by generating a big list $S$ of random lattice vectors with length
at most $\|B\|$. Then, by repeatedly applying a sieve to this list, shorter lists of shorter
vectors are obtained, until the list is completely depleted. In that case, we go back one
step, and look for the closest pair of lattice vectors in the last non-empty list.

The sieving step consists of splitting the previous list $S_{prev}$ in a set of 'centers' $C$
and a new list of vectors $S$ that will be used for the next sieve. For each vector $v$ in
$S_{prev}$, the algorithm first checks if a vector $c$ in $C$ exists that is close to $v$. If this is the
case, then we add the difference $v - c$ to $S_{prev}$. If this is not the case, then $v$ is added to
$C$. Since the set $C$ consists of vectors with a bounded norm and a specified minimum
distance between any two points, one can bound the size of $C$ from above using a result
of Kabatiansky and Levenshtein [27] regarding sphere packings. In other words, $C$ will
be sufficiently small, so that the list $S$ will be sufficiently large. After applying the
sieve, we discard all vectors in $C$ and apply the sieve again to the vectors in $S_{prev} = S$.

At each iteration of the sieve, the maximum norm of the vectors in the list decreases
from some constant $R$ to at most $\gamma R$, where $\gamma$ is some geometric factor smaller than 1.
Nguyen and Vidick conjecture that throughout the algorithm, the longest vectors in
$S$ are uniformly distributed over the space of all $n$-dimensional vectors with norms
between $\gamma R$ and $R$.

Heuristic 1. [41] At any stage of Algorithm 1, the vectors in $S \cap C_n(\gamma R, R)$ are
uniformly distributed in $C_n(\gamma R, R)$, where
$C_n(r_1, r_2) = \{x \in \mathbb{R}^n : r_1 \le \|x\| \le r_2\}$.

2.1.2 Classical complexities. 

In Line 11 of Algorithm 1 we have highlighted an application of a search subroutine
that could be replaced by a quantum search. Using a standard classical search
algorithm for this subroutine, under this heuristic assumption Nguyen and Vidick give the
following estimate for the time and space complexity of their algorithm.

Lemma 1. [41] On a classical computer, assuming that Heuristic 1 holds, Algorithm 1
will return a shortest vector of a lattice in time at most $2^{0.415n+o(n)}$ and space at most
$2^{0.208n+o(n)}$.

2.1.3 Quantum complexities. 

If we use a quantum search subroutine in Line 11, the complexity of this subroutine
decreases from $\tilde{O}(|C|)$ to $\tilde{O}(\sqrt{|C|})$. Since this search is part of the bottleneck for
the time complexity, applying a quantum search here will decrease the running time
significantly. Note that in Line 15, it also seems like a search of a list is performed. In
reality, this final search of $S_{prev}$ can be done in constant time by using appropriate data
structures, e.g., by keeping the vectors in $S$ and $S_{prev}$ sorted from short to long, or by
manually keeping track of the shortest vector in $S$.

Since replacing the classical search by a quantum search does not change the
internal behaviour of the algorithm, the estimates and heuristics are as valid as they were
in the classical setting. The time complexity does change, as the following theorem
explains. For details, see Appendix A.

Theorem 1. On a quantum computer, assuming that Heuristic 1 holds, Algorithm 1
will return a shortest vector of a lattice in time $2^{0.312n+o(n)}$ and space $2^{0.208n+o(n)}$.

In other words, applying quantum search to Nguyen and Vidick's sieve algorithm
leads to a 25% decrease in the exponent of the runtime.
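
Algorithm 1 as a runnable classical sieve, added here as an illustration and not taken from the paper. The sampler (small random integer combinations of the basis), the choice of R as the longest vector in S_prev, the constructed toy basis and all function names are assumptions; `search` scans C classically and tallies both the |C| cost of a classical scan and the sqrt(|C|) list queries a quantum search would use in its place.

```python
import math
import random

# Constructed toy basis (assumption): four integer vectors whose coordinate
# sums are all even, so every lattice vector has an even coordinate sum.
TOY_BASIS = [(4, 0, 3, -5), (1, 3, -6, 2), (0, 1, 2, -3), (0, 1, 3, -4)]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def sub(u, v):
    return tuple(a - b for a, b in zip(u, v))


def sample(basis, rng, bound=3):
    """Assumption: a random small integer combination of the basis stands in
    for sampling a lattice vector from the ball B_n(0, ||B||)."""
    coeffs = [rng.randint(-bound, bound) for _ in basis]
    dim = len(basis[0])
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))


def search(C, pred, cost):
    """search_{c in C}(pred(c)) as a linear scan; returns a match or None.
    The tallies are worst-case: |C| classically, sqrt(|C|) with quantum search."""
    cost["classical"] += len(C)
    cost["quantum"] += math.sqrt(len(C))
    for c in C:
        if pred(c):
            return c
    return None


def nv_sieve(basis, N, gamma, seed=0):
    rng = random.Random(seed)
    zero = (0,) * len(basis[0])
    S = sorted({sample(basis, rng) for _ in range(N)} - {zero})
    cost = {"classical": 0, "quantum": 0.0, "rounds": 0,
            "initial_min": min(norm(v) for v in S)}
    S_prev = S
    while S:
        S_prev = S
        R = max(norm(v) for v in S_prev)   # assumption: R is the longest vector left
        C, new = [zero], set()             # the zero centre is always scanned first,
        for v in S_prev:                   # so vectors shorter than gamma*R survive
            c = search(C, lambda c: norm(sub(v, c)) < gamma * R, cost)
            if c is not None:
                new.add(sub(v, c))         # reduced vector moves to the next round
            else:
                C.append(v)                # v becomes a centre and is later dropped
        S = sorted(new - {zero})
        cost["rounds"] += 1
    # S is depleted: return the shortest vector of the last non-empty list
    return min(S_prev, key=norm), cost


if __name__ == "__main__":
    s, cost = nv_sieve(TOY_BASIS, N=300, gamma=0.9, seed=1)
    print("short vector:", s, "norm:", round(norm(s), 3))
    print("classical comparisons:", cost["classical"],
          "quantum list queries:", round(cost["quantum"]))
```

The two tallies differ only in the cost charged per call to `search`, which is the single place where the classical and quantum versions of the algorithm differ.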

2.2 The Heuristic Algorithm of Wang et al. 

To improve upon the time complexity of the algorithm of Nguyen and Vidick, Wang et
al. [57] introduced a further trade-off between the time complexity and the space
complexity. Their algorithm uses two lists of centers $C_1$ and $C_2$ and two geometric factors
$\gamma_1$ and $\gamma_2$, instead of the single list $C$ and single geometric factor $\gamma$ in the algorithm
of Nguyen and Vidick. For details, see [57].

2.2.1 Classical complexities. 

The classical time complexity of this algorithm is bounded from above by
$O(|S| \cdot (|C_1| + |C_2|))$, while the space required is at most $O(|S| + |C_1| + |C_2|)$.
Optimizing the constants $\gamma_1$ and $\gamma_2$ leads to $\gamma_1 = 1.0927$ and $\gamma_2 \to 1$, with an
asymptotic time complexity of less than $2^{0.384n+o(n)}$ and a space complexity of about
$2^{0.256n+o(n)}$.

2.2.2 Quantum complexities. 

By using the quantum search algorithm for searching the lists $C_1$ and $C_2$, the time
complexity is reduced to $O(|S| \cdot (\sqrt{|C_1|} + \sqrt{|C_2|}))$, while the space complexity
remains $O(|S| + |C_1| + |C_2|)$. Re-optimizing the constants for a minimum time complexity
leads to $\gamma_1 \to \sqrt{2}$ and $\gamma_2 \to 1$, leading to the same time and space complexities as
the quantum-version of the algorithm of Nguyen and Vidick. Due to the simpler
algorithm and smaller constants, a quantum version of the algorithm of Nguyen and Vidick
will most likely be more efficient than a quantum version of the algorithm of Wang et
al.



3 Saturation algorithms 

Saturation algorithms were only recently introduced by Micciancio and Voulgaris [39],
and further studied by Pujol and Stehlé [44] and Schneider [49]. Instead of starting
with a huge list and making the list smaller and smaller, this method starts with a small
or empty list, and keeps adding more and more vectors to the list. Building upon the
same result of Kabatiansky and Levenshtein about sphere packings [27], we know that
if the list reaches a certain size and all vectors have a norm bounded by a sufficiently
small constant, two of the vectors in the list must be close to one another. Thus, if we
can guarantee that new short lattice vectors keep getting added to the list, then at some
point, with high probability, we can find a shortest vector as the difference between two
of the list vectors.

3.1 The Provable Algorithm of Pujol and Stehlé

Using the Birthday paradox, Pujol and Stehlé [44] showed that the constant in the
exponent of the time complexity of the original algorithm of Micciancio and
Voulgaris [39, Section 3.1] can be reduced by almost 25%. The algorithm is presented in
Algorithm 2.

Algorithm 2 The Provable Saturation Algorithm of Pujol and Stehlé

Input: An LLL-reduced basis $B$ of $L$, and constants $\mu \simeq \lambda_1(L)$, $\xi > \frac{1}{2}$, $R > 2\xi$,
Output: A non-zero lattice vector $s$ of norm less than $\mu$

' n 

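$T \leftarrow \emptyset$
$N_1 \in_R [0, N_1^{\max} - 1]$
for $i \leftarrow 1$ to $N_1$ do
    $x \in_R B_n(0, \xi\mu)$
    $v' \leftarrow x \bmod \mathcal{P}(B)$
    while $t \leftarrow \mathrm{search}_{t \in T}(\|v' - t\| < \gamma \|v'\|)$ do
        $v' \leftarrow v' - t$
    $v \leftarrow v' - x$
    if $\|v\| > R\mu$ then
        $T \leftarrow T \cup \{v\}$
for $i \leftarrow 1$ to $N_2$ do
    $x \in_R B_n(0, \xi\mu)$
    $v' \leftarrow x \bmod \mathcal{P}(B)$
    while $t \leftarrow \mathrm{search}_{t \in T}(\|v' - t\| < \gamma \|v'\|)$ do
        $v' \leftarrow v' - t$
    $v \leftarrow v' - x$
    $S \leftarrow S \cup \{v\}$
$\{s_1, s_2\} \leftarrow \mathrm{search}_{\{s_1, s_2\} \in S \times S}(0 < \|s_1 - s_2\| < \mu)$
return $s_1 - s_2$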



3.1.1 Description of the algorithm. 

The algorithm can roughly be divided in three stages, as follows. 

First, the algorithm generates a long list $T$ of lattice vectors with norms between $R\mu$
and $\|B\|$. This 'dummy' list is only used for technical reasons, and in practice one does
not seem to need such a list. Note that besides the actual lattice vectors $v$, to generate
this list we also consider slightly perturbed vectors $v'$ which are not in the lattice, but
are at most $\xi\mu$ away from $v$. This is purely a technical modification to make the proofs
work, as experiments show that without such perturbed vectors, saturation algorithms
also work fine [39, 44, 49].

After generating T, we generate a fresh list of short lattice vectors S. The procedure 
for generating these vectors is similar to that of generating T, with two exceptions: (i) 
now all sampled lattice vectors are added to S (regardless of their norms), and (ii) the 
vectors are reduced with the dummy list T rather than with vectors in S. The latter 
guarantees that the vectors in S are i.i.d. 

Finally, when $S$ has been generated, we hope that it contains two distinct lattice
vectors $s_1$, $s_2$ that are at most $\mu$ apart. So we search $S \times S$ for a pair $\{s_1, s_2\}$ of
close, distinct lattice vectors, and return their difference.

3.1.2 Classical complexities. 

With a classical search applied to the subroutines in Lines 7, 16 and 20, Pujol and
Stehlé obtained the following results.

Lemma 2. [44] Let $\xi \approx 0.9476$ and $R \approx 3.0169$. Then, using polynomially many
queries to Algorithm 2, we can find a shortest vector in a lattice with probability
exponentially close to 1, using time at most $2^{2.465n+o(n)}$ and space at most $2^{1.233n+o(n)}$.

3.1.3 Quantum complexities. 

Applying a quantum search algorithm to the search-subroutines in Lines 7, 16 and 20
leads to the following result. Details are given in Appendix B.

Theorem 2. Let $\xi \approx 0.9086$ and $R \approx 3.1376$. Then, using polynomially many queries
to the quantum version of Algorithm 2, we can find a shortest vector in a lattice with
probability exponentially close to 1, using time at most $2^{1.799n+o(n)}$ and space at most
$2^{1.286n+o(n)}$.

So the constant in the exponent of the time complexity decreases by about 27% 
when using quantum search. 
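
The exponents in Lemma 2 and Theorem 2 can be reproduced from the stage costs and the constants $c_b$, $c_t$, $c_g$ given in Appendix B; the sketch below is an added example, not code from the paper. The quantum stage costs are an assumption: each searched list of size M is charged sqrt(M) instead of M, as Section 1.3.2 describes; the grid search, its bounds and all function names are likewise assumptions.

```python
import math

KL = 0.401  # additive constant appearing in equations (2) and (3) of Appendix B


def constants(xi, R):
    """c_b, c_t, c_g from equations (2)-(4); needs xi > 1/2 and R > 2*xi."""
    if xi <= 0.5 or R <= 2 * xi:
        raise ValueError("need xi > 1/2 and R > 2*xi")
    c_b = math.log2(R) + KL
    c_t = 0.5 * math.log2(1 + 2 * xi / (R - 2 * xi)) + KL
    c_g = 0.5 * math.log2(4 * xi**2 / (4 * xi**2 - 1))
    return c_b, c_t, c_g


def exponents(xi, R, quantum=False):
    """Return (time, space, stages) as leading constants of log2(cost)/n."""
    c_b, c_t, c_g = constants(xi, R)
    n1_max = c_g + c_t        # exponent of N_1^max, equation (5)
    n2 = c_g + c_b / 2        # exponent of N_2 (the size of S), equation (5)
    s = 0.5 if quantum else 1.0   # a search over 2^(c*n) items costs 2^(s*c*n)
    stages = {
        "generate T": n1_max + s * c_t,     # N_1^max searches of T
        "generate S": n2 + s * c_t,         # N_2 searches of T
        "search S x S": s * 2 * n2,         # one search over all pairs of S
    }
    space = max(c_t, n2)                    # both lists T and S are stored
    return max(stages.values()), space, stages


def optimise(quantum, step=0.01, xi_max=1.5, R_max=6.0):
    """Coarse grid search for the (xi, R) minimising the time exponent."""
    best = (math.inf, None, None)
    i = 1
    while 0.5 + i * step <= xi_max:
        xi = 0.5 + i * step
        j = 1
        while 2 * xi + j * step <= R_max:
            R = 2 * xi + j * step
            t = exponents(xi, R, quantum)[0]
            if t < best[0]:
                best = (t, xi, R)
            j += 1
        i += 1
    return best


if __name__ == "__main__":
    for label, xi, R, q in [("classical (Lemma 2)", 0.9476, 3.0169, False),
                            ("quantum (Theorem 2)", 0.9086, 3.1376, True)]:
        t, sp, stages = exponents(xi, R, q)
        print(f"{label}: time 2^({t:.3f}n), space 2^({sp:.3f}n)")
        for name, e in stages.items():
            print(f"    {name}: {e:.3f}n")
    print("grid optimum (quantum):", optimise(True))
```

At the parameters of Theorem 2 the two list-generation stages cost the same and the pair search is no longer a bottleneck, whereas at the classical parameters of Lemma 2 generating T and searching S x S are the two balanced stages.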

Remark. If we generate $S$ in parallel, we can potentially achieve a time complexity
of $2^{1.470n+o(n)}$, by setting $\xi \approx 1.0610$ and $R \approx 4.5166$. However, it would require
exponentially many parallel quantum computers of size $O(n)$ to achieve a substantial
theoretical speed-up over the $2^{1.799n+o(n)}$ of Theorem 2. (Recall that quantum searching
a list of $c^n$ elements (with $c > 1$) requires the list to be stored in quantumly addressable
classical memory (versus regular quantum memory) and otherwise can be searched
using only $O(n)$ qubits and $O(c^{n/2})$ queries to the list.)

3.2 The Heuristic Algorithm of Micciancio and Voulgaris 

In practice, just like sieving algorithms, saturation algorithms are much faster than 
their worst-case running times and provable time complexities suggest. Micciancio 
and Voulgaris [39] gave a heuristic variant of their saturation algorithm, for which they 
could not give a (heuristic) bound on the time complexity, but with a better bound on 
the space complexity, and a better practical time complexity. The algorithm is given in
Algorithm 3.

3.2.1 Description of the algorithm. 

The algorithm is similar to Algorithm 2, with the following main differences: (i) we do
not explicitly generate two lists $S$, $T$ to apply the birthday paradox; (ii) we do not use
the geometric factor $\gamma < 1$ but always reduce a vector if it can be reduced; (iii) we also
reduce the existing list vectors with newly sampled vectors, so that each two vectors
in the list are pairwise Gauss-reduced; and (iv) instead of specifying the number of
iterations, we run the algorithm until we reach a predefined number of collisions $c_0$.

3.2.2 Classical complexities. 

Micciancio and Voulgaris state that the algorithm above has an experimental time
complexity of about $2^{0.52n}$ and a space complexity which is most likely bounded from above
by $2^{0.208n}$ due to the kissing constant [39, Section 5]. This is much faster than the
theoretical time complexity of $2^{1.799n}$ of the quantum-enhanced saturation algorithm
discussed in Section 3.1.

Algorithm 3 The Heuristic Saturation Algorithm of Micciancio and Voulgaris

Input: An LLL-reduced basis $B$ of $L$, and a constant $c_0$
Output: A short non-zero lattice vector $s$

$S \leftarrow \{0\}$
$Q \leftarrow \emptyset$
$c \leftarrow 0$
while $c < c_0$ do
    if $Q \neq \emptyset$ then
        $v \in_R Q$
        $Q \leftarrow Q \setminus \{v\}$
    else
        $v \in_R B_n(0, \|B\|) \cap L$
    while $s \leftarrow \mathrm{search}_{s \in S}(\max\{\|s\|, \|v - s\|\} < \|v\|)$ do
        $v \leftarrow v - s$
    while $s \leftarrow \mathrm{search}_{s \in S}(\max\{\|v\|, \|v - s\|\} < \|s\|)$ do
        $S \leftarrow S \setminus \{s\}$
        $Q \leftarrow Q \cup \{v - s\}$
    if $v = 0$ then
        $c \leftarrow c + 1$
    else
        $S \leftarrow S \cup \{v\}$
$s \leftarrow \arg\min_{v \in S \setminus \{0\}} \|v\|$
return $s$



Remark 1. In practice, the algorithm of Micciancio and Voulgaris is faster than the
one of Nguyen and Vidick of Section 2.1, even though the leading term in the exponent
is larger. So asymptotically, this algorithm is dominated by the algorithm of Nguyen
and Vidick, but in practice and for small dimensions, the algorithm of Micciancio and
Voulgaris seems to perform better.

Remark 2. Schneider states [49] that the time complexity scales like $2^{0.57n - 23.5}$,
instead of the $2^{0.52n}$ claimed by Micciancio and Voulgaris. Although asymptotically this
time complexity is worse than the one of Micciancio and Voulgaris, the cross-over point
of these rough approximations is around $n \approx 470$. So for most values of $n$ that SVP
solvers handle in practice, the term $-23.5$ is more significant than the small increase
caused by $n$, and the conjectured time complexity of Schneider is better than that of
Micciancio and Voulgaris.

3.2.3 Quantum complexities. 

To this heuristic algorithm, the quantum speed-ups can also be applied. Generally,
these saturation algorithms generate a list $S$ of reasonably short lattice vectors by (i)
first sampling a long, random lattice vector $v \in L$; (ii) reducing the vector $v$ with lattice
vectors already in $S$; (iii) possibly reducing the vectors in $S$ with this new vector $v$; and
(iv) finally adding $v$ to $S$. The total classical time complexity of these algorithms is of
the order $|S|^2$ due to (ii) and (iii), but by applying quantum speed-ups to these steps,
this becomes $|S|^{3/2}$. This means that the exponent in the time complexity is generally
reduced by about 25%, which is comparable to the improvement in Section 3.1. In
practice, we therefore expect a time complexity of about $2^{0.39n}$ for the heuristic
algorithm of Micciancio and Voulgaris with quantum search speed-ups, with constants that
may make this algorithm faster than the sieving algorithm of Section 2.1.

A Analysis of the Sieve Algorithm of Nguyen and Vidick



Nguyen and Vidick showed that if their heuristic assumption holds, the time and space 
complexities of their algorithm can be bounded from above as follows. 

Lemma 3. [41] On a classical computer, assuming Heuristic 1 holds, Algorithm 1
will return a shortest vector of a lattice in time $2^{2c_h n+o(n)}$ and space $2^{c_h n+o(n)}$, where
$\frac{2}{3} < \gamma < 1$ and

$$c_h = -\log_2(\gamma) - \frac{1}{2} \log_2\left(1 - \frac{\gamma^2}{4}\right). \qquad (1)$$

To obtain a minimum time complexity, $\gamma$ should be chosen as close to 1 as possible.
Letting $\gamma \to 1$ leads to an asymptotic time complexity of less than $2^{0.415n+o(n)}$ and an
asymptotic space complexity of less than $2^{0.208n+o(n)}$.

To obtain these estimates, it is first noted that the sizes of $S$ and $C$ are bounded
from above by $2^{c_h n+o(n)}$. The space complexity is therefore bounded from above by
$O(|S| + |C|) = 2^{c_h n+o(n)}$, and since for every element in $S$ the algorithm has to search
the list $C$, the time complexity is bounded from above by $O(|S| \cdot |C|) = 2^{2c_h n+o(n)}$.

Using Graver's algorithm for searching the list C, the time complexity decreases to 
6(\S\ ■ y/\C\) — 2? Cl ' n+ °( n \ while the space complexity remains the same. This leads 
to the following result. 

Lemma 4. On a quantum computer, assuming Heuristic Q] holds, Algorithm [7] will 
return a shortest vector of a lattice in time 2? c, '" +0 ^ and space 2 Ch " + "("\ 

Optimizing y to obtain a minimum time complexity again corresponds to letting 
y tend to 1 from below, leading to an asymptotic time complexity of 2°' 312 "+°<") and 
space complexity of 2°- 208 "+"("), as stated in Theorem[T] 

B Analysis of the Saturation Algorithm of Pujol and Stehle 

In the classical setting, the time complexities of the different parts of the algorithm are 
as follows. The constants are explained in the lemma below. 

• Cost of generating $T$: $O(N_1^{\max} \cdot |T|) = 2^{(c_g + 2c_t)n+o(n)}$. 

• Cost of generating $S$: $O(N_2 \cdot |T|) = 2^{(c_g + c_b/2 + c_t)n+o(n)}$. 

• Cost of searching $S$ for a pair of close vectors: $\tilde{O}(|S|^2) = 2^{(2c_g + c_b)n+o(n)}$. 

The space complexity is at most $O(|T| + |S|) = 2^{\max(c_t,\, c_g + c_b/2)n+o(n)}$. This leads to the 
following lemma. 

Lemma 5. [44] Let $\xi > \frac{1}{2}$ and $R > 2\xi$, and suppose $\mu > \lambda_1(L)$. Then, with $c_b$, $c_t$, $c_g$, 
$N_B$, $N_T$, $N_G$, $N_1^{\max}$, $N_2$ chosen according to: 

$$c_b = \log_2(R) + 0.401, \qquad N_B = 2^{c_b n+o(n)}, \tag{2}$$

$$c_t = \frac{1}{2}\log_2\left(1 + \frac{2\xi}{R - 2\xi}\right) + 0.401, \qquad N_T = 2^{c_t n+o(n)}, \tag{3}$$

$$c_g = \frac{1}{2}\log_2\left(\frac{4\xi^2}{4\xi^2 - 1}\right), \qquad N_G = 2^{c_g n+o(n)}, \tag{4}$$

$$N_1^{\max} = 2^{(c_g + c_t)n+o(n)}, \qquad N_2 = 2^{(c_g + c_b/2)n+o(n)}, \tag{5}$$

with probability at least $\frac{1}{2}$, Algorithm 2 returns a lattice vector $s \in L \setminus \{0\}$ with $\|s\| < \mu$, 
in time at most $2^{tn+o(n)}$ and space at most $2^{sn+o(n)}$, where $t$ and $s$ are given by 

$$t = \max\left(c_g + 2c_t,\ c_g + \frac{c_b}{2} + c_t,\ 2c_g + c_b\right), \qquad s = \max\left(c_t,\ c_g + \frac{c_b}{2}\right). \tag{6}$$

In the quantum setting, the costs are as follows. 

• Cost of generating $T$: $\tilde{O}(N_1^{\max} \cdot \sqrt{|T|}) = 2^{(c_g + 3c_t/2)n+o(n)}$. 

• Cost of generating $S$: $O(N_2 \cdot \sqrt{|T|}) = 2^{(c_g + c_b/2 + c_t/2)n+o(n)}$. 

• Cost of searching $S$ for a pair of close vectors: $\tilde{O}(\sqrt{|S|^2}) = 2^{(c_g + c_b/2)n+o(n)}$. 

The total space complexity is still the same as in the classical setting, i.e., at most 
$O(|T| + |S|) = 2^{\max(c_t,\, c_g + c_b/2)n+o(n)}$. This leads to the following lemma. 

Lemma 6. Let $\xi > \frac{1}{2}$ and $R > 2\xi$, and suppose $\mu > \lambda_1(L)$. Then, with $c_b$, $c_t$, $c_g$, $N_B$, 
$N_T$, $N_G$, $N_1^{\max}$, $N_2$ chosen according to Equations (2) to (5), with probability at least $\frac{1}{2}$, 
Algorithm 2 returns a lattice vector $s \in L \setminus \{0\}$ with $\|s\| < \mu$ on a quantum computer 
in time at most $2^{tn+o(n)}$ and space at most $2^{sn+o(n)}$, where $t$ and $s$ are given by 

$$t = \max\left(c_g + \frac{3c_t}{2},\ c_g + \frac{c_b}{2} + \frac{c_t}{2},\ c_g + \frac{c_b}{2}\right), \qquad s = \max\left(c_t,\ c_g + \frac{c_b}{2}\right). \tag{7}$$



Optimizing $\xi$ and $R$ for the minimum time complexity, we get $\xi \approx 0.9086$ and $R \approx 3.1376$ 
as in Theorem 2. Note that if $S$ is generated in parallel with exponentially many 
quantum computers, the cost of the second part of the algorithm becomes negligible, 
and the exponent in the time complexity changes to 

$$t = \max\left(c_g + \frac{3c_t}{2},\ c_g + \frac{c_b}{2}\right). \tag{8}$$

In that case, the optimal choice of $\xi$ and $R$ (with respect to minimizing the time 
complexity) would be $\xi \approx 1.0610$ and $R \approx 4.5166$, leading to a time complexity of less 
than $2^{1.470n+o(n)}$. 
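
The exponents in Lemmas 3 to 6 can be checked numerically against the figures quoted in the text. The Python below is an added example, not code from the paper; it assumes Equations (1) to (8) read as written in its functions, and all function names are hypothetical.

```python
import math

# Assumed readings of Equations (1)-(8); they reproduce the constants quoted in the text.
def c_h(gamma):
    """Nguyen-Vidick list-size exponent, Equation (1); stated for 2/3 < gamma < 1."""
    return -math.log2(gamma) - 0.5 * math.log2(1 - gamma**2 / 4)

def nv_exponents(gamma):
    """(classical time, quantum time, space) exponents of Lemmas 3 and 4."""
    c = c_h(gamma)
    return 2 * c, 1.5 * c, c

def ps_constants(xi, R):
    """c_b, c_t, c_g of Equations (2)-(4) for the Pujol-Stehle algorithm."""
    if not (xi > 0.5 and R > 2 * xi):
        raise ValueError("Lemmas 5 and 6 require xi > 1/2 and R > 2*xi")
    c_b = math.log2(R) + 0.401
    c_t = 0.5 * math.log2(1 + 2 * xi / (R - 2 * xi)) + 0.401
    c_g = 0.5 * math.log2(4 * xi**2 / (4 * xi**2 - 1))
    return c_b, c_t, c_g

def ps_exponents(xi, R):
    """Time exponent t in each setting, plus the shared space exponent s."""
    c_b, c_t, c_g = ps_constants(xi, R)
    return {
        "classical": max(c_g + 2 * c_t, c_g + c_b / 2 + c_t, 2 * c_g + c_b),      # (6)
        "quantum": max(c_g + 1.5 * c_t, c_g + c_b / 2 + c_t / 2, c_g + c_b / 2),  # (7)
        "parallel": max(c_g + 1.5 * c_t, c_g + c_b / 2),                          # (8)
        "space": max(c_t, c_g + c_b / 2),
    }

def best_neighbour(kind, xi, R, step=0.01):
    """Smallest exponent among the 8 neighbours of (xi, R) at distance `step`."""
    moves = [(dx, dr) for dx in (-step, 0, step) for dr in (-step, 0, step)
             if (dx, dr) != (0, 0)]
    return min(ps_exponents(xi + dx, R + dr)[kind] for dx, dr in moves)

if __name__ == "__main__":
    print("NV, gamma -> 1:", [round(e, 4) for e in nv_exponents(1 - 1e-9)])
    for kind, xi, R in (("quantum", 0.9086, 3.1376), ("parallel", 1.0610, 4.5166)):
        t = ps_exponents(xi, R)[kind]
        print(kind, "t =", round(t, 4), "best neighbour =",
              round(best_neighbour(kind, xi, R), 4))
```

At both stated optima the two largest terms of the maximum coincide, which is why moving $\xi$ or $R$ in any direction raises the exponent.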



C Other SVP algorithms 

C.1 Enumeration 

Recall that enumeration considers all lattice vectors inside a giant ball around the origin 
that is known to contain at least one lattice vector. Let $L$ be a lattice with basis 
$\{b_1, \ldots, b_n\}$. Consider each lattice vector $u \in L$ as a linear combination of the basis 
vectors, i.e., $u = \sum_i u_i b_i$. Now, we can represent each lattice vector by its coefficient 
vector $(u_1, \ldots, u_n)$. We would like to have all combinations of values for $(u_1, \ldots, u_n)$ 
such that the corresponding vector $u$ lies in the ball. We could try any combination and 
see if it lies within the ball by computing the norm of the corresponding vector, but 
there is a smarter way that ensures we only consider vectors that lie within the ball and 
none that lie outside. 

To this end, enumeration algorithms search from right to left, by identifying all values 
for $u_n$ such that there might exist $u'_1, \ldots, u'_{n-1}$ such that the vector corresponding 
to $(u'_1, \ldots, u'_{n-1}, u_n)$ lies in the ball. To identify these values $u'_1, \ldots, u'_{n-1}$, enumeration 
algorithms use the Gram-Schmidt orthogonalization of the lattice basis as well as the 
projection of lattice vectors. Then, for each of these possible values for $u_n$, the enumeration 
algorithm considers all possible values for $u_{n-1}$ and repeats the process until it 
reaches possible values for $u_1$. This leads to a search which is serial in nature, as each 
value of $u_n$ will lead to different possible values for $u_{n-1}$ and so forth. Unfortunately, 
we can only really apply the quantum search algorithm to problems where the list of 
objects to be searched is known in advance. 

One might suggest to forego the smart way to find short vectors and just search 
all combinations of $(u_1, \ldots, u_n)$ with appropriate upper and lower bounds on the 
different $u_i$'s. Then it becomes possible to apply quantum search, since we now have a 
predetermined list of vectors and just need to compute the norm of each vector. However, 
it is doubtful that this will result in a faster algorithm, because the recent heuristic 
changes by Gama et al. [18] have reduced the running time of enumeration dramatically 
(roughly by a factor $2^{n/2}$) and these changes only complicate the search area further by 
changing the ball to an ellipsoid. There seems to be no simple way to apply quantum 
search to the enumeration algorithms that are currently used in practice, but perhaps 
the algorithms can be modified in some way. 
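
The right-to-left search described above, as an added Python example that is not code from the paper: it enumerates the ball using the Gram-Schmidt coefficients and records the admissible interval for each coefficient. The basis and function names are constructed for illustration, and indices are zero-based, so `u[0]` is $u_1$.

```python
import math

SAMPLE_BASIS = [[2, 0, 0], [1, 2, 0], [1, 1, 3]]  # constructed rank-3 basis

def gram_schmidt(B):
    """mu[i][j] and norms[i] = |b_i*|^2 of the Gram-Schmidt orthogonalization."""
    n = len(B)
    Bs, norms = [], []
    mu = [[0.0] * n for _ in range(n)]
    for i in range(n):
        v = [float(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = sum(a * b for a, b in zip(B[i], Bs[j])) / norms[j]
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
        norms.append(sum(a * a for a in v))
    return mu, norms

def enumerate_ball(B, radius_sq):
    """Nonzero u with |sum u_i b_i|^2 <= radius_sq, and the intervals visited."""
    n, dim = len(B), len(B[0])
    mu, norms = gram_schmidt(B)
    u, found, trace = [0] * n, [], []

    def descend(k, used):
        # The admissible interval for u[k] is fixed only once u[k+1:] is chosen.
        centre = -sum(u[i] * mu[i][k] for i in range(k + 1, n))
        half = math.sqrt(max(radius_sq - used, 0.0) / norms[k])
        lo = math.ceil(centre - half - 1e-9)
        hi = math.floor(centre + half + 1e-9)
        trace.append((k, tuple(u[k + 1:]), lo, hi))
        for x in range(lo, hi + 1):
            u[k] = x
            if k > 0:
                descend(k - 1, used + (x - centre) ** 2 * norms[k])
                continue
            vec = [sum(u[i] * B[i][c] for i in range(n)) for c in range(dim)]
            norm_sq = sum(c * c for c in vec)  # exact check absorbs the 1e-9 slack
            if any(u) and norm_sq <= radius_sq:
                found.append((norm_sq, tuple(u)))
        u[k] = 0

    descend(n - 1, 0.0)
    return sorted(found), trace

if __name__ == "__main__":
    found, trace = enumerate_ball(SAMPLE_BASIS, 5)
    print("shortest:", found[0])
    for k, fixed, lo, hi in trace:
        print(f"u[{k}] in [{lo}, {hi}] given u[{k + 1}:] = {fixed}")
```

On this basis the interval for `u[0]` is `[0, 1]`, `[-1, 1]` or `[-1, 0]` depending on `u[1]`, so the set of candidates is not a list fixed in advance.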

C.2 Voronoi cell 

Consider a set of points in the Euclidean space. For any given point in this set, its 
Voronoi cell is the region that contains all vectors that lie closer to this point than to 
any of the other points in the set. Now, given a Voronoi cell, we define a relevant 
vector to be any vector in the set whose removal from the set will change this particular 
Voronoi cell. If we pick our lattice as the set and we consider the Voronoi cell around 
the zero vector, then any shortest vector is also a relevant vector. Furthermore, given the 
relevant vectors of the Voronoi cell we can solve the closest vector problem in $2^{2n+o(n)}$ 
time. 

So how can we compute the relevant vectors of the Voronoi cell of a lattice $L$? 
Micciancio and Voulgaris [38] show that this can be done by solving $2^n - 1$ instances 
of CVP in the lattice $2L$. However, in order to solve CVP we would need the relevant 
vectors which means we are back to our original problem. However, Micciancio 
and Voulgaris show that these instances of CVP can also be solved by solving several 
related CVP instances in a lattice of lower rank. They give a basic and an optimized 
version of the algorithm. The basic version only uses LLL as preprocessing and solves all 
these related CVP instances in the lower rank lattice separately. As a consequence, the 
basic algorithm runs in time $2^{3.5n+o(n)}$ and in space $2^{n+o(n)}$. The optimized algorithm 
uses a stronger preprocessing for the lattice basis, which takes exponential time. But 
since the most expensive part is the computation of the Voronoi relevant vectors, this 
extra preprocessing time does not increase the asymptotic running time. In fact, having 
the reduced basis decreases the asymptotic running time to $\tilde{O}(2^{3n})$. Furthermore, 
the optimized algorithm employs a trick that allows it to reduce $2^k$ CVP instances in 
a lattice of rank $k$ to a single instance of an enumeration problem related to the same 
lattice. The optimized algorithm solves CVP in time $\tilde{O}(2^{2n})$ using $O(2^n)$ space. 

Now, in the basic algorithm, it would be possible to speed up the routine that solves 
the CVP given the Voronoi relevant vectors using a quantum computer. It would also 
be possible to speed up the routine that removes non-relevant vectors from the list 
of relevant vectors using a quantum computer. Combining these two changes gives a 
quantum algorithm with an asymptotic running time $\tilde{O}(2^{2.5n})$, which is still slower than 
the optimized classical algorithm. It is not possible to apply these same speedups to 
the optimized algorithm due to the aforementioned trick with the enumeration problem. 
The algorithm to solve this enumeration problem makes use of a priority queue, which 
means the search is not trivially parallelized. Once again, there does not seem to be a 
simple way to apply quantum search to this special enumeration algorithm. However, it 
may be possible that the algorithm can be modified in such a way that quantum search 
can be applied. 